Author Archive

TechEd Europe 2009 – East West Thuis Best

November 5th, 2009 No comments

Some cupfighters are going to TechEd Europe 2009. In fact, the company we work for, Schuberg Philis, organizes the Dutch country drink together with Microsoft.

We will blog during this event and try to post major announcements made during TechEd on this site as fast as we can. So keep an eye on this site or Twitter!

http://www.schubergphilis.com/countrydrink


BUG (and work around): Persistent routing issue on Win2k8 clusters

October 9th, 2009 No comments

Another good (should I say brilliant?) piece of information from our colleague Elianne van der Kamp.

Yesterday we discovered an issue with Windows 2008 clusters: manually added persistent routes disappear from the active routes table when a cluster group containing an IP address resource is taken offline (or fails over).

This issue is documented here. The same article also describes a workaround for when you have multiple gateways on multiple NICs.

The workaround is to change your route add command from, e.g., <route add 10.1.0.0 mask 255.255.255.0 10.1.0.1 -p> to <route add 10.1.0.0 mask 255.255.255.0 0.0.0.0 if 25>.

With this second command you bind the route to the interface instead of to an IP address. And since it is now bound to a local device, any cluster failover will leave the route in the routing table.

However, this will not solve the issue we discovered yesterday: we are using two gateways ‘behind’ the same interface, so binding the route to the interface will not help here.

Example: interface 18 has address 192.168.251.36, mask 255.255.255.0, gateway 192.168.251.1, with the added route <route add 192.168.250.0 mask 255.255.255.0 192.168.251.3 -p>.

When an IP address resource is taken offline (fails over), the active route 192.168.250.0 255.255.255.0 192.168.251.3 is removed.

By accident we found out that adding the interface to the route solves this new issue (thanks to our colleague Enrico). So our new route command has to look like this:

<route add 192.168.250.0 mask 255.255.255.0 192.168.251.3 if 18>. This leaves the route in the active routes table.

Why does this work? And is it reliable?

Since we couldn’t find any Google/Microsoft hits on this particular issue, we had to do a little registry digging.

The standard command <route add 192.168.250.0 mask 255.255.255.0 192.168.251.3> just adds the persistent route to the registry, which triggers the ‘bug’.

However, the new command <route add 192.168.250.0 mask 255.255.255.0 192.168.251.3 if 18> also makes 14 changes in the cluster part of the registry, telling it that this route is bound to the adapter and is to be left behind on the local server in case of a failover.

So I think it looks pretty reliable. We did lots of reboots and failovers on the cluster and the routes seem pretty persistent now.
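The procedure above in script form, as an added example that is not code from the original post: it looks up the interface index of the adapter that owns the route's local address instead of hard-coding "if 18", re-adds the route bound to that interface, and then checks that the route is really in the active routes table. The addresses are the post's own example values; the use of -p together with if is an assumption (the post's final command shows only if), made so the route is also kept across reboots.

```powershell
# Added example (not code from the original post): bind a persistent route to the
# interface index of the adapter that already carries the route's local address, so
# the route survives a cluster IP-address-resource failover as the post describes.
# Constructed values matching the post's example: the adapter carries 192.168.251.36,
# the second gateway behind that adapter is 192.168.251.3, and the subnet reached
# through it is 192.168.250.0/24. Run in an elevated PowerShell on the cluster node.
$adapterIp   = "192.168.251.36"
$destination = "192.168.250.0"
$netmask     = "255.255.255.0"
$gateway     = "192.168.251.3"

# Look up the interface index rather than hard-coding "if 18": the index differs per
# host and can change after driver or teaming changes. Win32_NetworkAdapterConfiguration
# exposes InterfaceIndex on Windows Vista / Server 2008 and later.
$nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPEnabled -and ($_.IPAddress -contains $adapterIp) }
if ($nic -eq $null) { throw "No IP-enabled adapter carries $adapterIp" }
$ifIndex = $nic.InterfaceIndex
Write-Host "Adapter '$($nic.Description)' has interface index $ifIndex"

# Remove any existing copy of the route (one added without 'if' is the one that
# disappears on failover), then add it again bound to the interface.
# '-p' keeps it across reboots (assumption: the post's final command omits it);
# 'if' is what binds the route to the adapter.
& route.exe delete $destination mask $netmask | Out-Null
& route.exe -p add $destination mask $netmask $gateway if $ifIndex

# Check: the route must be in the active routes table with the expected gateway.
# route print lists the interface by its address, not its index, so match on
# destination, netmask and gateway.
$pattern = "^\s*" + [regex]::Escape($destination) + "\s+" +
           [regex]::Escape($netmask) + "\s+" + [regex]::Escape($gateway) + "\s"
$active = & route.exe print -4 | Where-Object { $_ -match $pattern }
if ($active) {
    Write-Host "Route present: $($active.Trim())"
} else {
    Write-Warning "Route for $destination via $gateway is not in the active table"
}
```

Run the same check again after taking the IP address resource offline and bringing it back; the route line should still be printed. If the check fails right after the add, the usual cause is that the gateway is not on the subnet of the adapter whose index was chosen.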

Get rid of Event ID 5156: The Windows Filtering Platform has allowed a connection

October 5th, 2009 3 comments

When you install McAfee on Windows Server 2008 (and probably Windows Vista too), you can get a lot of messages in your security log, like this one:

[Screenshot: Event ID 5156]

Event ID 5156 means that WFP (the Windows Filtering Platform) has allowed a connection. When most connections are allowed, your security log fills up very fast.

You can disable Object Access auditing, but then you’ll miss other events which might be of interest. So, instead, let’s just disable Success auditing for Filtering Platform Connections. It’s not possible to disable auditing subcategories with a policy or other GUI tool, but I found out that you can enable and disable specific subcategories with a special command-line tool: Auditpol.exe, which is included with Windows Vista and Windows Server 2008. I used the following command:

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

As you can see, this disables Success auditing for the Filtering Platform Connection subcategory.
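The same change with a before/after check, as an added example that is not code from the original post. It only uses the built-in auditpol.exe switches shown above plus /get, so you can see what the subcategory was set to before touching it and confirm that the rest of the Object Access category is left as it was.

```powershell
# Added example (not code from the original post): show the current setting of the
# Filtering Platform Connection subcategory, disable only its Success half, and
# confirm the result. Run in an elevated PowerShell on Windows Vista / Server 2008
# or later; auditpol.exe is built in.
$subcategory = "Filtering Platform Connection"

Write-Host "--- Before ---"
& auditpol.exe /get /subcategory:"$subcategory"

# Success events (ID 5156, allowed connections) are the noisy ones; Failure events
# (ID 5157, blocked connections) stay enabled because those are worth keeping.
& auditpol.exe /set /subcategory:"$subcategory" /success:disable /failure:enable

Write-Host "--- After ---"
& auditpol.exe /get /subcategory:"$subcategory"

# Confirm that the other Object Access subcategories still have the settings you
# expect; only the Filtering Platform Connection row should have changed.
Write-Host "--- Object Access category ---"
& auditpol.exe /get /category:"Object Access"
```

Two things to keep in mind: a subcategory setting made with auditpol can be overwritten by legacy category-level audit policy coming from Group Policy unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, so re-run the /get after the next policy refresh; and 5156 is exactly the event some network-connection monitoring depends on, so if you collect security logs centrally it may be better to drop 5156 at the collector than to stop generating it on the host.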

For more info check out this article:

http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx

Security Justice will feature Cupfighter.net author Frank Breedijk

September 7th, 2009 No comments


This afternoon/evening, Security Justice will hold their 1st Annual International Podcast BBQ to celebrate US Labor Day.

The BBQ will feature our Schuberg Philis colleague Frank Breedijk as blogger for cupfighter.net and author of AutoNessus.

At 15:00 EST (20:00 GMT) they will kick off by firing up the grill and opening the (probably not first) beers. After this there will be a series of interviews:

16:00 EST (21:00 GMT) – Our own Frank Breedijk (@autonessus)
17:00 EST (22:00 GMT) – Chris John Riley (@ChrisJohnRiley) and Robin Wood (@digininja)
18:00 EST (23:00 GMT) – James Arlen (@myrcurial)
19:00 EST (00:00 GMT) – Nick Owen (@wikidsystems)
20:00 EST (01:00 GMT) – Clean-up and the usual banter…

The podcast will be streamed live via hak5radio.com, and IRC (irc.freenode.net #securityjustice) will be used for audience participation.

Hacker Public Radio podcast about Defcon 17 with Frank Breedijk

August 12th, 2009 No comments

Hacker Public Radio host Finux interviews Chris John Riley and Frank Breedijk about their visit to Defcon 17.

http://hackerpublicradio.org/eps/hpr0420.mp3

Certificate warnings don’t work

July 27th, 2009 No comments

As reported here: http://www.goodgearguide.com.au/article/312438/security_certificate_warnings_don_t_work_researchers_say

“In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users).

“Everyone knew that there was a problem with these warnings,” said Joshua Sunshine, a Carnegie Mellon graduate student and one of the paper’s co-authors. “Our study showed dramatically how big the problem was.” …

The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web.

They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites.

“That’s sort of a backwards understanding of what these messages mean,” Sunshine said. “The message is validating that you’re visiting the site you think you’re visiting, not that the site is trustworthy.”

Categories: CaCert, Security

Kickin’ it Old School

June 25th, 2009 No comments

In the age of immersive 3D graphics on your telephone, it’s always fun to remember what interfaces used to look like:

http://www.businessinsider.com/versions-10-of-todays-most-popular-apps-2009-6

Of course, all the UNIX guys here can just look at their current shell to see what they looked like 20 years ago. I have to admit that design has held up awfully well!

Categories: Gadgets-Funstuff

Augmented Reality Becoming an Actual Reality??

June 17th, 2009 No comments

As seen on Macrumors.com, a Dutch company, Layar (yeah, Netherlands!), has the first augmented reality browser working on a mobile phone!

“A new augmented reality app called Layar is making the rounds on the web as an example of what can be done with Augmented Reality. Layar is described as the world’s first mobile augmented reality browser.

Layar shows you what is around you by displaying realtime digital information on top of reality through the camera of the mobile phone. Just flip through the directory of layers and find ATMs, bars, houses for sale, hotels and other cool stuff around you. The app accomplishes this through the use of the compass, camera and GPS embedded within the phone…

The app is first available for Android devices, but they are working hard on porting it to other platforms “with a prime focus on the iPhone 3G S.”

Microsoft Sets Record With Monster Patch Tuesday

June 10th, 2009 No comments

Time to get patching!

As seen on Slashdot: http://it.slashdot.org/story/09/06/09/2243247/Microsoft-Sets-Record-With-Monster-Patch-Tuesday

“Microsoft today issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer, Excel, Word, Windows Search and other programs, including 18 bugs marked ‘critical.’ Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE. The total bug count was the most patched by Microsoft in a single month since the company began regularly scheduled updates in 2003. The previous record of 26 vulnerabilities patched occurred in both August 2008 and August 2006. ‘This is a very broad bunch,’ said Wolfgang Kandek, CTO at Qualys, ‘compared to last month, which was really all about PowerPoint. You’ve got to work everywhere, servers and workstations, and even Macs if you have them. It’s not getting any better, the number of vulnerabilities [Microsoft discloses] continues to grow.’”

Categories: Microsoft, WSUS